I have learned about some SQL injection methods in PHP. The following describes the most common SQL injection methods and how to prevent them.
1. What is injection?
For example, when we query the database for an article, we use the article's ID to retrieve all of its information. The SQL statement can be written as follows:
The code is as follows:

select * from blog where id = 5
The value of id comes from the user, generally via GET, for example read.php?id=5. This looks harmless, but suppose the SQL statement changes slightly:
The code is as follows:

select * from blog where id = 5 or 1 = 1
1 = 1 is a constant that is always true, so this statement retrieves all the articles. To achieve this, the GET value only needs to be changed to read.php?id='5 or 1 = 1' (pay attention to the two single quotes). So the simplest test is to change the parameter to a single quote and see whether the link can be injected. Of course, it doesn't matter much if an unauthorized user sees all the articles, but what if the table stores accounts and passwords?
2. How to prevent injection?
Ultimately, preventing injection comes down to filtering characters, because illegal users generally construct URLs to pass in values. If we filter the illegal parameters that are passed in, the illegal SQL statement is never executed, and the website is protected from injection!
PHP's built-in string filtering functions are quite good. First, look at the specific code:
The code is as follows:

function safe($s) {
    // get_magic_quotes_gpc() was removed in PHP 8.0; treat magic quotes as "off" there.
    $magic_quotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$magic_quotes) {
        if (is_array($s)) {
            // escape every element of the array (one level deep)
            foreach ($s as $key => $value) {
                $s[$key] = addslashes($value);
            }
        } else {
            $s = addslashes($s);
        }
    }
    return $s;
}

function html_safe($s) {
    // escape for SQL, then for HTML output, then turn line breaks into <br />
    return nl2br(htmlspecialchars(safe($s)));
}
If you don't know the built-in functions used above and don't want to check the manual, here is a short description of each:

magic_quotes_gpc is the "magic quotes" feature. When it is enabled, PHP automatically applies the addslashes() function to all GET, POST and COOKIE data, so the data is already escaped by the time it is inserted into the database. get_magic_quotes_gpc() reports whether this feature is enabled on the server. If it is, safe() returns the data unchanged; if not, the parameter is escaped manually with addslashes(). This prevents double escaping.

addslashes -- quote a string with backslashes. Signature: string addslashes(string str). Returns a string with backslashes added before the characters that need to be escaped in database query statements: the single quote ('), double quote ("), backslash (\) and NUL (the NULL byte). A typical use of addslashes() is when you are about to enter data into a database. For example, to insert the name O'Reilly into the database you need to escape it; most databases use \ as the escape character, giving O\'Reilly. In this way the data goes into the database without inserting anything extra. When the PHP directive magic_quotes_sybase is set to on, ' is escaped with another ' instead of with \.

The htmlspecialchars function that follows converts HTML special characters, for example '&' to '&amp;' and '<' to '&lt;'. nl2br converts line breaks into <br />, which is useful when users enter comments and similar text.
With the functions above, we can filter out some simple injections. There are also a few smaller points:

For the first example there are actually many improvements. For example, writing it like this looks more standard:
The code is as follows:

SELECT * FROM `blog` WHERE `id` = '$id'
SQL keywords are written in upper case and table and field names in lower case; in addition, the table and field names are wrapped in the backtick symbol (`, the key to the left of the 1 key on the keyboard), and the incoming id is wrapped in single quotes.
If the input parameter is numeric, we can force-convert the value from $_GET. But I prefer this:
The code is as follows:

// get the id of the article to display; multiplying by 1 coerces the string to a number
// (note: on PHP 8 a completely non-numeric string here throws a TypeError)
$id = $_GET['id'] * 1;
if ($id == 0) {
    echo "ERROR ...";
    exit();
}
If the value passed in turns out not to be a valid number, it is very likely that the parameter is being tampered with, so we print an error and exit directly; this saves the trouble of running a database query for an illegal user.
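The two defenses described above (coercing a numeric id, and escaping a quoted string value with the safe() logic) combined into one request handler, as an added example that is not code from the original article or from JBlog. It assumes a `blog` table with `id` and `title` columns and a hypothetical "q" search parameter; the $normal and $tampered arrays are constructed inputs, and get_magic_quotes_gpc() is guarded with function_exists() because it was removed in PHP 8.0.

```php
<?php
// Added example, not code from the article or from JBlog. Assumes a `blog`
// table with `id` and `title` columns and a hypothetical "q" parameter;
// $normal and $tampered below are constructed test inputs.

// The article's safe(): skip escaping when magic quotes already did it.
// get_magic_quotes_gpc() was removed in PHP 8.0, hence the function_exists().
function safe_value($s) {
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if ($magic) {
        return $s;                       // already escaped, avoid double escaping
    }
    if (is_array($s)) {
        return array_map('safe_value', $s);   // recurse into nested arrays
    }
    return addslashes($s);
}

// Numeric id: accept digits only, then cast. This is the article's "$id * 1"
// check made strict: "5 or 1 = 1" is rejected instead of silently becoming 5,
// and (int) avoids the TypeError that "* 1" raises on PHP 8 for non-numeric text.
function article_query(array $get) {
    $raw = isset($get['id']) ? (string) $get['id'] : '';
    if ($raw === '' || !ctype_digit($raw) || (int) $raw === 0) {
        return null;                     // caller prints "ERROR ..." and exits
    }
    return "SELECT * FROM `blog` WHERE `id` = '" . (int) $raw . "'";
}

// String value: escaped AND wrapped in single quotes. Both are needed;
// addslashes() protects nothing if the value is not inside quotes.
function search_query(array $get) {
    $q = safe_value(isset($get['q']) ? (string) $get['q'] : '');
    return "SELECT * FROM `blog` WHERE `title` = '$q'";
}

// Constructed inputs: a normal request and the tampered one from the article.
$normal   = array('id' => '5',          'q' => "O'Reilly");
$tampered = array('id' => '5 or 1 = 1', 'q' => "' or 1 = 1");

echo article_query($normal), "\n";       // normal id is used as-is
var_dump(article_query($tampered));      // tampered id is rejected before any query runs
echo search_query($normal), "\n";        // the apostrophe in O'Reilly is backslash-escaped
echo search_query($tampered), "\n";      // injected quote is escaped, value stays one literal
```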
Finally, let's look at how JBlog handles injection:

Line 38 of include/common.php:
The code is as follows:

// escape all incoming data once, unless PHP's magic quotes already did it
if (!get_magic_quotes_gpc()) {
    $_GET    = add_slashes($_GET);
    $_POST   = add_slashes($_POST);
    $_COOKIE = add_slashes($_COOKIE);
}
Line 194 of include/func_global.php:

The code is as follows:

// addslashes applied recursively, so nested arrays are escaped too
function add_slashes($string) {
    if (!is_array($string)) {
        return addslashes($string);
    }
    foreach ($string as $key => $val) {
        $string[$key] = add_slashes($val);
    }
    return $string;
}
Of course, this is only part of it; the rest should be similar.